PointbasinPointbasin
Sign in

Pointbasin Legal

Privacy Policy

Last updated: May 20, 2026

Pointbasin™ ("Pointbasin", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard information when you visit pointbasin.com, use our mobile applications, agentic shopping services, merchant tools, developer APIs, or interact with us in any other way (collectively, the "Services").

This Policy is designed to satisfy the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act 1988, Singapore's PDPA, and other comparable data-protection laws worldwide. Where local law affords you greater rights, those rights apply.

1. Data Controller and Contact

For users in the European Economic Area ("EEA"), United Kingdom, and Switzerland, Pointbasin acts as the data controller for personal data processed in connection with the Services, unless we explicitly state we are acting as a processor on behalf of a merchant or developer customer.

  • Controller: Pointbasin, Inc.
  • Privacy contact: privacy@pointbasin.com
  • Data Protection Officer (DPO): dpo@pointbasin.com
  • EU/UK Representative: available on request at privacy@pointbasin.com

2. Information We Collect

2.1 Information you provide

  • Account data: name, email address, password (hashed), role (Shopper, Developer, Merchant), profile preferences.
  • Merchant data: business name, tax identifiers, payout details, product catalog and inventory.
  • Transaction data: orders placed, items, amounts, shipping and billing addresses, refunds, and disputes.
  • Communications: messages with our support team, agent chat transcripts, survey responses.
  • Developer data: API keys, webhook endpoints, application metadata.

2.2 Information collected automatically

  • Device and log data: IP address, device type, operating system, browser, language, referring URLs, timestamps.
  • Usage data: pages and features used, agent prompts and responses (in aggregated and pseudonymous form for safety and quality), error reports.
  • Cookies and similar technologies: see our Cookies Policy.

2.3 Information from third parties

  • Identity providers (e.g., Google sign-in): name, email, and profile image you authorise.
  • Payment processors (e.g., Stripe): tokenised payment information; we do not store full card numbers.
  • Agent platforms (e.g., ChatGPT, Google AI Mode, Copilot): the order intent and parameters submitted to Pointbasin on your behalf.
  • Fraud and compliance providers: risk signals, sanctions screening, and verification results.

3. Legal Bases for Processing (GDPR / UK GDPR)

We rely on the following lawful bases under Article 6 GDPR:

  • Contract (Art. 6(1)(b)): to create your account, deliver orders, and provide the Services you request.
  • Legitimate interests (Art. 6(1)(f)): to operate, secure, and improve the Services, prevent fraud, perform analytics, and develop new features. You may object at any time.
  • Consent (Art. 6(1)(a)): for non-essential cookies, marketing emails, and certain agent personalisation. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, anti-money-laundering, and consumer-protection compliance.
  • Vital interests / public interest (Art. 6(1)(d)-(e)): rarely, where necessary to protect a person's life or comply with a public-interest task.

We do not knowingly process special-category data (Art. 9 GDPR). If you submit it incidentally, you consent to its processing solely to respond to your request, and we will delete it promptly thereafter.

4. How We Use Personal Data

  • Provide, personalise, and secure the Services, including agentic checkout and order fulfilment.
  • Authenticate users, enforce role-based access (Shopper, Developer, Merchant), and prevent abuse.
  • Process payments, payouts, refunds, and chargebacks via our payment partners.
  • Communicate with you about transactional matters, security, and policy updates.
  • Send marketing communications where permitted, with an unsubscribe option in every message.
  • Comply with legal obligations and respond to lawful requests from public authorities.
  • Train and evaluate our AI models on aggregated and de-identified data; we do not use the content of your private messages, payment details, or addresses to train foundation models.

5. Disclosure of Personal Data

We share personal data only as follows:

  • Merchants: when you place an order, we share the data necessary to fulfil it (name, address, contact, items).
  • Service providers / processors: hosting, analytics, email delivery, customer support, fraud prevention, AI inference, and payments, all bound by GDPR Art. 28 contracts.
  • Agent platforms and developers: only the data required by an integration you have authorised.
  • Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality.
  • Legal and safety: to comply with law, enforce our agreements, or protect rights, property, and safety.

We do not sell personal data, and we do not "share" it for cross-context behavioural advertising as defined under the CCPA/CPRA.

6. International Data Transfers

Pointbasin operates globally. Personal data may be transferred to, stored in, and processed in countries other than your own, including the United States. Where we transfer personal data outside the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, the EU-U.S. Data Privacy Framework (where applicable), and supplementary technical and organisational measures including encryption in transit and at rest.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations (e.g., tax records for up to ten years), resolve disputes, and enforce agreements. Account data is deleted or anonymised within ninety days of account closure, unless retention is required by law. Aggregated, de-identified data may be retained indefinitely.

8. Your Rights

Subject to applicable law, you may exercise the following rights by contacting privacy@pointbasin.com or through your account settings:

  • Access a copy of your personal data.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten"), subject to legal retention requirements.
  • Restriction of processing in certain circumstances.
  • Data portability in a structured, commonly used, machine-readable format.
  • Objection to processing based on legitimate interests or for direct marketing.
  • Withdraw consent at any time where processing is based on consent.
  • Not be subject to a decision based solely on automated processing with legal or similarly significant effects, except where permitted by law with appropriate safeguards.
  • Lodge a complaint with your local supervisory authority (e.g., the Irish DPC for EEA users, the ICO for UK users).
  • CCPA/CPRA rights for California residents: know, delete, correct, limit use of sensitive personal information, and opt out of sale/sharing (we do neither).

We will respond within thirty days, extendable by sixty days for complex requests, in accordance with Art. 12 GDPR.

9. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including TLS encryption in transit, encryption at rest, least-privilege access controls, multi-factor authentication for staff, secret rotation, continuous monitoring, vulnerability scanning, and regular penetration testing. No system is perfectly secure; you are responsible for keeping your credentials confidential and notifying us of any suspected unauthorised access.

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two hours and affected individuals without undue delay, as required by Art. 33 and 34 GDPR.

10. Children

The Services are not directed to children under sixteen (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@pointbasin.com and we will delete it.

11. Automated Decision-Making and AI

Pointbasin uses AI to power product discovery, agentic checkout, fraud scoring, and recommendations. Significant decisions, such as cancelling a transaction or suspending an account, are reviewed by a human before taking effect. You have the right to request human intervention, express your point of view, and contest such decisions.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified by email or an in-product notice at least thirty days before they take effect. The "Last updated" date at the top reflects the latest revision.

13. Contact

Questions, requests, or complaints can be sent to privacy@pointbasin.com. We aim to resolve privacy concerns directly; you also have the right to contact your local data-protection authority.

Privacy PolicyTerms of ServiceCookies Policy← Back home